Http Request Smuggling in Cockroachdb
How Http Request Smuggling Manifests in Cockroachdb
Http Request Smuggling in Cockroachdb typically occurs when the database's HTTP API endpoints process malformed requests that exploit inconsistencies between front-end and back-end request parsing. Cockroachdb's HTTP interface, particularly its admin UI and SQL API endpoints, can be vulnerable when deployed behind certain reverse proxies or load balancers that handle request parsing differently than Cockroachdb itself.
// Vulnerable Cockroachdb HTTP handler pattern
func (s *httpServer) handleSQL(w http.ResponseWriter, r *http.Request) {
// Missing Content-Length validation
body, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
// Request smuggling can occur here if:
// 1. Front-end proxy strips Content-Length but keeps Transfer-Encoding
// 2. Back-end Cockroachdb processes both headers
// 3. Attacker crafts request to hide malicious payload
query := string(body)
result, err := s.execSQL(query)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(result)
}
The vulnerability manifests when Cockroachdb's HTTP server processes requests with both Content-Length and Transfer-Encoding headers, or when it accepts requests with malformed Content-Length values. This is particularly problematic in Cockroachdb's SQL-over-HTTP interface, where attackers can smuggle additional SQL queries or administrative commands.
# Example of request smuggling payload targeting Cockroachdb
POST /_admin/v1/sql HTTP/1.1
Host: cockroachdb.example.com
Content-Length: 4
Transfer-Encoding: chunked
0
POST /_admin/v1/sql HTTP/1.1
Content-Length: 25
SELECT * FROM users; DROP TABLE sensitive_data;
In Cockroachdb clusters, this vulnerability becomes more severe when multiple nodes are behind a load balancer. An attacker can target specific nodes by crafting requests that only certain Cockroachdb instances will process correctly, potentially leading to data exfiltration or denial of service across the cluster.
Cockroachdb-Specific Detection
Detecting Http Request Smuggling in Cockroachdb requires understanding its specific HTTP API endpoints and request handling patterns. middleBrick's scanning engine includes specialized checks for Cockroachdb's admin interface and SQL API endpoints, testing for the exact header parsing inconsistencies that affect Cockroachdb deployments.
# Using middleBrick CLI to scan Cockroachdb instance
middlebrick scan http://cockroachdb.example.com:8080 \
--target=cockroachdb \
--checks=request-smuggling \
--output=json
middleBrick tests Cockroachdb-specific endpoints including:
/_admin/v1/health- Health check endpoint/_admin/v1/sql- SQL query execution endpoint/_admin/v1/logs- Log retrieval endpoint/_status/vars- Metrics endpoint
The scanner sends Cockroachdb-specific request smuggling payloads designed to trigger the database's HTTP parser:
{
"test_cases": [
{
"name": "Cockroachdb Content-Length/Transfer-Encoding",
"request": {
"method": "POST",
"path": "/_admin/v1/sql",
"headers": {
"Content-Length": "4",
"Transfer-Encoding": "chunked",
"Content-Type": "application/json"
},
"body": "0\n\nPOST /_admin/v1/sql HTTP/1.1\nContent-Length: 25\n\nSELECT 1;"
}
}
]
}
Manual detection involves monitoring Cockroachdb's HTTP access logs for unusual patterns:
# Check for suspicious request patterns in Cockroachdb logs
grep -E "(Content-Length|Transfer-Encoding)" /var/log/cockroach/cockroach.log | tail -50
# Look for multiple SQL statements in single requests
sed -n 's/.*SQL query: "\(.*\)"/\1/p' /var/log/cockroach/cockroach.log | grep -E ";.*;"
Network-level detection using Wireshark or tcpdump can identify smuggling attempts by looking for HTTP requests with both Content-Length and Transfer-Encoding headers:
tcpdump -A -n -i eth0 port 8080 | grep -E "(Content-Length|Transfer-Encoding)" | head -20
Cockroachdb-Specific Remediation
Remediating Http Request Smuggling in Cockroachdb requires hardening the HTTP server configuration and implementing strict request validation. Cockroachdb's Go-based HTTP server can be configured to reject malformed requests before they reach application logic.
// Secure Cockroachdb HTTP handler with smuggling protection
func (s *httpServer) handleSQLSecure(w http.ResponseWriter, r *http.Request) {
// Immediately reject requests with both headers
if r.Header.Get("Content-Length") != "" && r.Header.Get("Transfer-Encoding") != "" {
http.Error(w, "Invalid request headers", http.StatusBadRequest)
log.Warnf("Request smuggling attempt blocked: %s", r.URL.Path)
return
}
// Validate Content-Length header format
contentLength := r.Header.Get("Content-Length")
if contentLength != "" {
if _, err := strconv.Atoi(contentLength); err != nil {
http.Error(w, "Invalid Content-Length", http.StatusBadRequest)
return
}
}
// Read and validate request body size
body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20)) // 1MB limit
if err != nil {
http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
return
}
// Sanitize SQL input (additional layer)
if !s.validateSQLInput(body) {
http.Error(w, "Invalid SQL input", http.StatusBadRequest)
return
}
result, err := s.execSQL(string(body))
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(result)
}
// SQL input validation for Cockroachdb
func (s *httpServer) validateSQLInput(input []byte) bool {
// Simple validation to prevent smuggling of multiple statements
sql := string(input)
statements := strings.Split(sql, ";")
// Allow only single statement per request
if len(statements) > 2 || (len(statements) == 2 && strings.TrimSpace(statements[1]) != "") {
return false
}
// Check for dangerous patterns
dangerous := []string{"DROP", "DELETE", "TRUNCATE", "UPDATE"}
for _, keyword := range dangerous {
if strings.Contains(strings.ToUpper(sql), keyword) {
// Additional authorization check needed for dangerous operations
if !s.userHasPermission(r, keyword) {
return false
}
}
}
return true
}
Network-level protections should be implemented using reverse proxy configuration:
# Nginx configuration to prevent request smuggling upstream
upstream cockroachdb_cluster {
server cockroachdb-node1:8080;
server cockroachdb-node2:8080;
server cockroachdb-node3:8080;
}
server {
listen 80;
server_name cockroachdb.example.com;
# Remove Transfer-Encoding header to prevent smuggling
proxy_hide_header Transfer-Encoding;
# Strict Content-Length validation
location / {
if ($http_content_length !~ "^[0-9]+$") {
return 400;
}
# Maximum request size limit
client_max_body_size 1M;
proxy_pass http://cockroachdb_cluster;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# Health check endpoint
location /_admin/v1/health {
proxy_pass http://cockroachdb_cluster;
}
}
For production deployments, combine these approaches with middleBrick's continuous monitoring to ensure new vulnerabilities don't emerge as Cockroachdb versions change:
# GitHub Action workflow with middleBrick
name: API Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Scan Cockroachdb API
run: |
npm install -g middlebrick
middlebrick scan http://staging-cockroachdb:8080 \
--target=cockroachdb \
--fail-on-severity=high
env:
MIDDLEBRICK_API_KEY: ${{ secrets.MIDDLEBRICK_API_KEY }}